BSidesSF 2024: Pretty Good

I was at BSidesSF last weekend, and it was pretty good! I visited a bunch of villages, did a bunch of CTFs, picked a lot of locks, and met some really cool people. Anyways, here’s the good, the bad, and the travel advice for any future attendees of a BSidesSF event.

Background

BSidesSF 2024 took place at the City View at the Metreon from the 4th to the 5th of May. My understanding is that it’s taken place at this venue before, though the timing of the event isn’t always the same. On each day, the main event opened up at 9 AM and closed at 5 PM, though the venue stayed open after 5 PM on Saturday for a happy hour and afterparty.

BSides is a collection of loosely affiliated and usually locally organized hacker conventions. I refrain from referring to these as information security events because I believe there’s a distinction to be made between hacker events and information security events; BSides events can be likened to DEF CON as opposed to something like RSA Conference or Black Hat USA. This isn’t to say that one is better than the other, just that one has hints of anarchy and rule-breaking while the other is professional and corporate. Both fit different niches for different audiences.

Though I’ve attended hacker meetups and conventions in the past, this was my first time attending a BSidesSF. I went with my partner, two other hackers, and one developer. Of our party, I was the most involved in hacker culture, so I had naturally assumed a pseudo-tour guide kind of role.

Tickets

You can purchase tickets at the venue or online. This year, tickets were $70. There are a variety of discounts, though; the student discount gets you 50% off if you purchase online. When you purchase online, you’ll get a confirmation email with a QR code that you can scan at the registration table in order to get a badge. Wear this badge in order to get admission into the event.

Travel

Our party is from the Central Valley, so we traveled by Amtrak. An Amtrak trip from the Central Valley to San Francisco will typically consist of two legs: one leg from the origin station to Emeryville via passenger train, and one leg from Emeryville to an Amtrak bus stop right outside the Salesforce Transit Center in San Francisco by charter bus. In case you’ve never travelled by Amtrak before, Amtrak connections are typically guaranteed, so a connecting bus will not leave until the passengers from the train have arrived and vice versa. From the Salesforce Transit Center to the Metreon, it’s about a 10-minute walk. San Francisco has garnered a lot of (deserved) attention about the rising crime rates lately, but it was a pretty safe walk during the daytime.

For the return trip, one of my friends from the Bay Area drove us back. We took the BART rail from Powell Station to a station near his family’s home on the East Bay, and then completed our trip by car. Powell Station is easily within walking distance from the Metreon if you’re planning on taking the BART in either direction. The BART was a pleasure; they have plenty of ticketing stations at Powell Station and it was very easy to navigate, and our train was pretty dense and safe.

Keep in mind that if you purchase a physical BART transit card, called a “Clipper,” there’s an additional $3 fee for issuance. One of our party members didn’t understand this, so she was blocked from exiting the destination station until she paid the difference.

San Francisco Safety

As previously mentioned, San Francisco has been in the news a lot lately for the rising crime rates amidst a fentanyl crisis. This is true, and if you wander around the area, then you can see this everywhere. There were people on the street doing drugs in broad daylight, and it got significantly worse at night. Walking around, it’s easy to get solicited by people on the street asking for something or trying to sell you something.

Youth gang activity is high in the area. I saw plenty of gangsters on the corners and in groups. Don’t engage with them and don’t go near them. When solicited by someone on the street, the best response is to not give a response, or to say “Sorry, no.” That’s all you need to do. Be street smart and don’t be an idiot.

Importantly, don’t wander too far north from the venue. A few blocks away is the Tenderloin, the worst of it all. All it takes is the wrong turn. Honestly, just be plain, don’t stand out like a sore thumb, be smart, don’t be an idiot, know where you’re going, and you’ll be fine. If you’re traveling in a group, don’t endanger your group by being an idiot.

The Metreon itself is very safe and has plenty of security guards. At the venue inside the Metreon, there’s absolutely no question about safety; you could probably leave your wallet out on the table and you’ll be fine – your fellow con-goers have no interest in doing you any harm, and they’re glad that you’re there to jam with them.

Vibes and Dress Code

Unlike RSA Conference or Black Hat USA, BSides and DEF CON are pretty casual. T-shirt, shorts, fine. Hoodie, jeans, fine. Just about anything goes, but maybe don’t dress too formally. If you’re wearing a full suit, you’ll stick out like a sore thumb. Maybe you want everyone to know you’re important or you’re in management, which is fine if that’s what you’re going for, but for the rest of us, keep it casual. If you’re there to do some professional networking or job hunting, a button-up and some slacks should do the trick. Think business casual.

Coat Check

There’s a “coat check” area where you can check in your bags if you’d like. This can be really useful if you’re carrying a lot of additional weight and would like to shed some burdens, though frankly, you should be keeping your luggage in your hotel. Still, this can be useful if you want to drop off a purse or a swag bag and retrieve it later. This is a guarded area attended by staff, and you can only interact with it at the front desk, so your items are reasonably secure.

Villages

Villages are my favorite part of any hacker event. This year, we had:

At BSides, villages aren’t large enough to be given their own rooms. Instead, they’re given some floor space at the venue. They’re given the room to set up some tables, some demos, and a bunch of chairs. You don’t need to ask to sit down at a village, though it’s courteous to ask the people there first if a seat is taken before sitting down. Please don’t be shy about sitting down at a village – we love meeting new people!

Booths

There were a lot of booths lining the venue! A few big names stood out: Wiz, Microsoft, GitHub, Google, and Slack, to name a few. They usually have a bunch of stickers, shirts, water bottles, and other swag to give away. If you’re job hunting, it’s worth striking up a conversation and exchanging LinkedIns. Though not out of the question, it doesn’t usually make sense to be doing business at an event like this; you can save that for a corporate convention.

CTFs

CTFs are another thing that I love about hacker events. I recommend walking around the villages and seeing what CTFs are going on and asking the organizers how you can get started with their CTF. Unlike online CTFs, which are restrained by the limitations of the online format, in-person CTFs can take advantage of the real world. This can mean real-life computer networking setups, wireless challenges, ICS/SCADA systems, etc.

I have a lot of fun going to CTFs and playing around. The villages usually have prizes too, though I’m really just there to see what they have and learn some new things. I would highly recommend sitting down and trying a few challenges. In-person CTFs are something that you can only experience by – well – being there in-person.

Keep in mind that the Hardware Challenge Village is not the Hardware Hacking Village. The hardware challenge is mostly non-technical and not very in-depth about hardware hacking. I asked a village organizer and he explained that they weren’t allowed to bring soldering irons into the venue, so they focused on a challenge involving hardware rather than hardware hacking due to the limitations imposed on them by the venue.

Talks

There’s a stage for talks, though frankly, the audiovisual setup was not too great. Having to share the room with the rest of the convention adds a lot of noise and difficulty in hearing the speaker. If there’s a talk that you’re really interested in, I recommend trying to see if you can find it on YouTube instead. I wouldn’t really recommend attending a talk; they’re not very groundbreaking, to be frank.

Catering

Breakfast and lunch are included with your ticket. There’s a section of the room dedicated to catering. You can serve yourself. The setup is pretty clean and you should do your part to keep it that way. There are vegetarian and vegan options as well as allergen information cards. I recommend waiting towards the tail end of the breakfast/lunch rush. You can eat outside on the patio where there are dedicated seating areas, or at a village table if they allow it.

There are also complimentary water and coffee bars everywhere available throughout the duration of the event. There’s an alcohol bar available throughout the duration of the event too, though I didn’t visit it as I’m sober, so I’m not sure what they have going on there.

Saturday Night Party

There’s a party on Saturday night. Your tickets include 2 free drink vouchers that you can redeem. Although there are alcoholic options, this party is sober-friendly. This is a great opportunity to meet people – I actually got my badge signed by the guy who made them, which was pretty cool!

Final Event Advice

Definitely go outside your comfort zone and meet people! There are a lot of really cool people who I’m glad to have met, three of whom we’ve exchanged contacts with and I expect to continue talking to in the future. It can sound intimidating, but it can be surprisingly easy when you’re in an environment where everyone has equally obscure interests as you. My partner and I spent hours at the lockpick village talking to people while picking locks and now we’re prospective TOOOL SF members.

As far as OpSec goes, you can chill. You can use your personal phone. You can use your normal laptop. You don’t need burners. I’d still recommend tunneling your traffic through a VPN with strict LAN security settings if you connect to their network for some peace of mind, but honestly, you should be reasonably fine without it.

Have fun. Remember to play CTFs to have fun and learn new things, not to win. Don’t take yourself too seriously. Don’t beat yourself up if you can’t figure something out, because there’s probably someone in the room who’s more than excited to talk to you about it. Meet people and make friends. Let go and let yourself engage in the hacker culture and community for the sole purpose of having fun.

Other Travel Advice

The Museum of Modern Art is right across the street from the venue. I’d highly recommend making some time to go visit it. There are some truly beautiful works there, though I understand that not everyone may have the same appreciation for modern art that I do.

There are a lot of hotels near the venue. We stayed at The Mosser, which is a budget-friendly 3-star hotel that’s nothing to brag about. If you stay at The Mosser, beware that the walls are paper thin, so you should have some neighbor manners and the common courtesy to be quiet. There are other options as well, such as the Marriott Marquis, Hyatt Regency, and Four Seasons, all within walking distance, which we’ll probably be staying at next time.

There are some great food and drink options near the venue. We visited Ippudo, Delarosa, and Feng Cha, which were all down the same lane across the street from the venue. For dinner on Sunday, we went to Hinodeya, which had great food but a frustrating point-of-sale system and a seedy walk. When visiting the Museum of Modern Art, we also visited the cafe which had some great mocktails.

Anyways, I’m looking forward to next year! Though for next year, I’ll probably opt for a private hotel room with just myself and my partner at somewhere more upscale. I hope San Francisco can make progress tackling its fentanyl and crime epidemic, because it truly is a beautiful city with a lot to brag about after that. Until next time,

Happy trails!